STATEMENT OF
JOHN T. SPOTILA
ADMINISTRATOR, OFFICE OF INFORMATION AND REGULATORY AFFAIRS
OFFICE OF MANAGEMENT AND BUDGET
SUBMITTED TO
THE SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
COMMITTEE ON GOVERNMENT REFORM
UNITED STATES HOUSE OF REPRESENTATIVES

May 15, 2000

Mr. Chairman and members of the Committee, thank you for inviting me here to present the
Administration's views on H.R. 4049, the "Privacy Commission Act." As Administrator of
OMB's Office of Information and Regulatory Affairs, I care deeply about the protection of
privacy. In 1998, OIRA took on enhanced responsibility for coordinating privacy policy
throughout the Administration. OIRA already had policy responsibility under the Privacy Act
of 1974, which applies to federal government systems of records. Now it plays a central
coordinating role for privacy policy more generally. Last year, OMB appointed its first Chief
Counselor for Privacy, Peter Swire, to be the point person in this coordination effort. Peter is
with me here today.

The President and the Vice President are committed to the protection of individual privacy. As
President Clinton said on April 30, when announcing his new financial privacy proposal: "From
our earliest days, part of what has made America unique has been our dedication to freedom,
and the clear understanding that real freedom requires a certain space of personal privacy." Vice
President Gore showed similar leadership in 1998 when he called for an Electronic Bill of
Rights, emphasizing that we should all do our part to protect individual privacy, relying on
private sector leadership where possible, on legislation when necessary, on responsible
government handling of personal information, and on an informed public.

In studying the proposed findings for H.R. 4049, we find much common ground. We agree that
Americans are increasingly concerned about the security and use of their personal information.
We agree that the shift from an industry-focused economy to an information-focused economy
calls for reassessing the way we balance personal privacy and information use. As
Administrator of OIRA, I work extensively on information policy issues relating to computer
security, privacy, information collection, and our transition to the electronic delivery of
government services. In these and other areas, we are working hard to gain the advantages that
come from new technologies while guarding against possible costs to privacy and security that
can come from badly crafted uses of those technologies.

In some areas, we already know that we must act swiftly to protect privacy and security. Indeed,
the Administration's biggest concern with H.R. 4049 is the risk that some might use the
Commission as a reason to delay much-needed privacy legislation. We understand that
supporters of H.R. 4049 have emphasized that it should not be used as a reason for delay. But
we are also aware from public reports that those who oppose privacy reform would prefer to
have Congress study the issue indefinitely rather than take action. In the Administration's view,
such delay would be unwise. We cannot afford to take a year and a half off in protecting
Americans' privacy. We believe that action is needed now in the areas of financial privacy,
medical records privacy, and genetic discrimination.

Before addressing specific aspects of H.R. 4049, it would be useful to review recent federal
privacy initiatives.

Overview.

There have been extensive initiatives by the Federal government since 1993 to study and take
appropriate action in the area of privacy protection. Study of privacy was an integral part of the
National Information Infrastructure project, sometimes called the "information superhighway"
effort, with the issuance in 1995 by an inter-agency Privacy Working Group of "Principles for
Providing and Using Personal Information." (See: Privacy Working Group of the Information
Infrastructure Task Force, www.iitf.nist.gov/ipc/ipc-pub.html.) This effort was led by OIRA.
With Administration support, Congress has passed privacy legislation including the Drivers'
Privacy Protection Act of 1994 (motor vehicle records), the Telecommunications Act of 1996
(authority for the Customer Proprietary Network Information regulations), the Health Insurance
Portability and Accountability Act of 1996 (authority for the currently proposed medical
privacy regulations), the Children's Online Privacy Protection Act of 1998 (children's online
records), the Identity Theft and Assumption Deterrence Act of 1998 (deterrence of identity
theft), and the Gramm-Leach-Bliley Act of 1999 (financial records).

In the online world, the Administration has encouraged self-regulatory efforts by industry. For
especially sensitive information -- such as medical, financial, and children's online records --
legal protections are required. Recent activities have included:

When children go online, parents should give their consent before companies gather personal
information. Websites aimed at children must get such consent under the Children's Online
Privacy Protection Act of 1998 and accompanying rules that went into effect in April of this
year.

The Department of Commerce, the Federal Trade Commission, the White House Electronic
Commerce Working Group, and other parts of the Federal government have undertaken a wide
array of studies, reports, workshops, and other activities to address issues of online privacy. As
one example, a public workshop last fall challenged the industry to address concerns about
"online profiling," in which companies collect data, in ways few people would suspect, about
individuals surfing the Internet.

In the international sphere, the Department of Commerce has taken the lead in creating "safe
harbor" principles for transfers of personal information between the European Union and the
United States. These principles, to which the European Commission has now agreed,
recognize the appropriateness of effective self-regulatory regimes. In developing the
principles, the Department has sought public comment on four separate occasions.

The President signed the Identity Theft and Assumption Deterrence Act of 1998. This
March, the Department of the Treasury hosted an Identity Theft Summit to assist in the
prevention, detection, and remediation of the significant problem of malicious misuse of
another person's personal information for fraudulent purposes.

The Administration continues to build privacy protections into its own activities. Last year,
for instance, all Federal agencies successfully posted clear privacy policies on their websites.
Programs are now underway to strengthen Government computer security to provide new
privacy safeguards for personal information held by the Government. The new Privacy
Subcommittee of the Chief Information Officers Council is undertaking initiatives to ensure that
privacy is effectively built into government information technology systems.

Financial records.

Congress discussed financial privacy intensively in the course of its financial modernization
debate last year. As the President pointed out when signing the law, the modernization law took
significant steps to protect the privacy of financial transactions, but did not go far enough. The
President asked OMB, the Department of Treasury, and the National Economic Council to craft
a legislative proposal to close loopholes under existing law. On April 30, he announced his plan
to protect consumers' financial privacy. This plan would include:

Consumer choice: Giving consumers the right to choose whether a firm can share consumer
financial information with third parties or affiliated firms.

Enhanced protection for especially sensitive information: Requiring that a consumer give
affirmative consent before a firm can gain access to medical information within the financial
conglomerate, or share detailed information about a consumer's personal spending habits.

Access and correction: Giving consumers a new right to review their information and
correct material errors.

Comparison shop on privacy policies: Giving consumers privacy notices upon application
or request so they know how information is protected before a customer relationship is
established.

These provisions were introduced in the House as H.R. 4380, attracting immediate and
substantial support in both the House and the Senate. As Secretary of the Treasury Lawrence
Summers emphasized on March 7, "It's time to start now."

Medical Records.

There has been a longstanding appreciation in the United States that individual medical records
include especially sensitive information. Disclosing medical data can reveal what is happening
inside a person's body, such as a report that a person is HIV positive, or inside a person's mind,
such as the transcript of a session with a psychotherapist. The Federal government has
recognized these concerns at least since 1973, when the Department of Health, Education, and
Welfare first announced the basic fair information practices that underlie privacy policy today.

Congress recognized the need for legal protection of medical records when it passed the Health
Insurance Portability and Accountability Act of 1996 (HIPAA). After extensive discussions
with stakeholders and as required by HIPAA, the Secretary of Health and Human Services
issued her recommendations for health privacy legislation in September 1997. Congress was
unable to meet the HIPAA deadline for enacting comprehensive privacy legislation by August
21, 1999. Accordingly, the President and Secretary Shalala announced proposed privacy
regulations on October 29 of last year. It was HHS's goal to make the regulation process open
to those who wanted to communicate their concerns in person. HHS met with many individuals
and organizations to hear their concerns and clarify provisions of the proposed rule. HHS
received over 53,000 submissions of comments by the February 17, 2000, deadline. HHS is now
considering those comments, and the regulations will become final this year.

Although the medical privacy regulations will become final this year, there is a pressing need
for further Congressional action. As HHS Assistant Secretary Margaret Hamburg testified in
February of this year: "Health information privacy is a top priority for the Department and the
Administration, and we continue to believe that legislation is the only way to achieve the goal."
President Clinton explained some of the reasons for legislation when he proposed the privacy
regulations last October. The Administration is especially concerned that the enforcement
powers under current law are not as effective as they should be. We recommend federal
legislation that would allow punishment of those who misuse personal health information and
redress for people who are harmed by its misuse. Administration officials have testified often
on what should be included in medical privacy legislation, and we urge that there be no delay on
this subject.

Genetic Discrimination.

This February 8, President Clinton signed an executive order that prohibits every federal
department and agency from using genetic information in any hiring or promotion action. This
order ensures that critical health information from genetic tests not be used against federal
employees. The President has also endorsed the Genetic Nondiscrimination in Health Insurance
and Employment Act of 1999, introduced by Senator Daschle and Congresswoman Slaughter,
which would extend these protections to the private sector and to individuals purchasing health
insurance. As with financial and medical privacy, legislation is before the Congress to address
especially sensitive personal data -- genetic information on individuals. The time to act on each
of these issues is now.

* * * *

Let me turn now to the specifics of H.R. 4049.

The Scope and Structure of the Proposed Commission.

As indicated earlier, the Administration has significant concerns that the Study Commission
might be used by some as an excuse for delaying needed activity in privacy protection. These
concerns are especially acute for topics such as medical, financial, and genetic information
where good legislative proposals are before the Congress now. There has already been
extensive discussion of these proposals within the Congress and among the stakeholders.
Further study of these topics by the Commission would duplicate the public examination that
has already taken place, without adding real value. The proposed medical privacy rules that
become final this year will be the result of a multi-year process that generated over 53,000
public comments, many in extensive detail. These comments show a need for further action,
not further study.

We recognize that the Congress needs to make its own judgments on these matters, and we
defer to it in its assessment of what it needs to inform those judgments. It seems sensible,
however, to adopt a focused approach to exploring these topics. Ideally, any further study
efforts should be done within a short time frame and would build on, not duplicate, existing
studies.

If there were to be a Commission, contrary to our recommendation, we should ensure that it
focuses its efforts in an effective way. Again, we are concerned about potential delay. Casting
too broad a net would delay the work of any new Commission, with uncertain results. We note,
for example, that the treatment of data collected on-line has been the subject of extensive
hearings in Congress, as well as public workshops, public comments, studies, and reports by the
Department of Commerce and the White House Electronic Commerce Working Group. The
Federal Trade Commission is about to issue a major report. We recognize that this is a
complicated area that requires careful evaluation and an understanding of new technology. It is
not clear, however, that a Commission lasting 18 months will give decisionmakers the help they
need.

Indeed, rather than have a Commission pursuing a very broad set of topics, it might be more
productive to have technology and policy experts address specific, emerging issues that have not
yet benefitted from much attention. One targeted way to study such privacy issues might be to
enlist the expertise of the National Academy of Sciences/National Research Council or other
appropriate bodies. The NAS/NRC has extensive experience in creating blue-ribbon groups
with the expertise to provide insight into difficult policy problems. In the privacy area, the
NAS/NRC has already produced studies such as "Cryptography's Role in Securing the
Information Society" (1996) and "For the Record: Protecting Electronic Health Information"
(1997). Perhaps we should call on it again.

The NAS/NRC's Computer Science and Telecommunications Board is currently exploring
funding for a study on "Authentication Technologies and Their Privacy Implications." The
problem identified for this study arises from the need to identify people in a trustworthy
way -- that is, to authenticate people -- in order to facilitate business and other activities over the
Internet. Many of the possible ways to identify people have privacy implications since they
involve individuals turning over a good deal of personal information -- from a mother's maiden
name to credit card numbers or other information that could put an individual at risk if revealed
to unauthorized persons. As technology develops, our society needs to understand how to make
authentication work in a way consistent with preserving privacy.

Another useful study topic, which similarly does not require a Commission, could be biometrics
and privacy. "Biometrics" refers to fingerprints, iris scans, and other physical indicators of
identity. Since many companies are now exploring the commercial deployment of biometric
technology, now is a good time to assess the public policy of biometrics and privacy. If
deployed carefully, biometrics could protect privacy by placing less reliance on sending credit
card numbers or other sensitive information over the Internet. If deployed badly, however,
biometric technology could create new privacy risks, such as if biometrics were used to record
each room an employee enters while on the job. A study of this subject, taking proper account
of new technological developments, could increase the likelihood that biometric systems will be
more sensitive to privacy concerns as they become widely used.

For all these reasons, we believe there are sound alternatives to a Privacy Commission. If,
nonetheless, legislation creating such a Commission moves forward, then we have specific
concerns about certain provisions in H.R. 4049. For instance, as with other commissions on
many important national issues, the President should have a greater role in appointing
Commission members. In addition, the current section 7(c) is objectionable because it could be
interpreted as requiring Executive Branch agencies to turn over confidential or classified
information to the proposed Commission. The text could read that agencies "may," rather than
"shall" furnish that information.

As I emphasized earlier, we share with the Congress a very strong interest in protecting privacy
and look forward to working with you to find suitable new ways to improve that protection. We
understand the good intentions motivating the Congressional sponsors of H.R. 4049. Despite
our reservations about the specifics of this bill, we welcome the commitment to privacy
protection that they seek to demonstrate.

Mr. Chairman and Members of the Committee, thank you once again for the invitation to
discuss these issues.